cfn-vpn 1.3.1 → 1.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 672ae92015c16fcc2ce33e05a22ca651b4974d4669d91115c2f5d49b36aa4062
-  data.tar.gz: 3e595961778b5d67112b6219d690cd589e8523813f22e7a3a196dfab6d77d59d
+  metadata.gz: d057b56046024cd10c21a62c616fb41ef38be5443860e5b7c33593638c1e3e23
+  data.tar.gz: feec8bfb3aece7986731846dbcb7f7d9c165029cef2f3cd48677f07eafea992e
 SHA512:
-  metadata.gz: fee3ea79a3c51a77aaa5b6be535fc950ecfd32de121e6aadd363ef4def0af7fe201b414624036d9553f8a7158cb9e6fe16189972b599bcfd8df688c0dec09051
-  data.tar.gz: 4bcc5243d2365706f57d07bf2c0cbad79debde39952d8535407cd58fb26d5d1e77857cedbf0170d726c8a56c7f70a2a90a26349991a0c3a7bf51fd824eae2bb4
+  metadata.gz: cd2f72dba1ad154853d7b6493f3bb4a84a8443a9a97bbe557e5ce2f6bc938f5a765008364a7f91a12e390d4cdb1e9e22adec45dbfdb37036e7c9bac841f1d2c3
+  data.tar.gz: 26d45cbb3f81877a5ab7c6555ed3d91cba1410d206229cf7b594263708991f297009c79744802af17e1f6be903c349f8ac93bed891f67d94b23e914f60ae650f

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    cfn-vpn (1.2.0)
+    cfn-vpn (1.3.4)
       aws-sdk-acm (~> 1, < 2)
       aws-sdk-cloudformation (~> 1, < 2)
       aws-sdk-ec2 (~> 1.95, < 2)
@@ -24,7 +24,7 @@ GEM
     aws-sdk-cloudformation (1.49.0)
       aws-sdk-core (~> 3, >= 3.112.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-core (3.113.0)
+    aws-sdk-core (3.119.0)
       aws-eventstream (~> 1, >= 1.0.2)
       aws-partitions (~> 1, >= 1.239.0)
       aws-sigv4 (~> 1.1)

data/docs/README.md

@@ -41,4 +41,5 @@ For further information on the authentication types please visit https://docs.aw
 3. [Managing Certificate Users](certificate-users.md)
 4. [Managing Routes](routes.md)
 5. [Stop and Start Client-VPN](scheduling.md)
-6. [Managing Sessions](sessions.md)
+6. [Managing Sessions](sessions.md)
+7. [Slack Notifications](slack-notifications.md)

data/docs/certificate-users.md

@@ -85,5 +85,5 @@ Modify base2-ciinabox.config.ovpn to include the full location of your extracted
 	echo "key /<path>/user1.key" >> myvpn.config.ovpn
 	echo "cert /<path>/user1.crt" >> myvpn.config.ovpn
 
-Open myvpn.config.ovpn with your favourite openvpn client.
+Open myvpn.config.ovpn with your favorite openvpn client.
 ```

data/docs/getting-started.md

@@ -50,7 +50,7 @@ This is the default option when launching a ClientVPN using certificated based a
 The following command and required options will launch a new certificate based Client-VPN
 
 ```sh
-cfn-vpn init [name] --bucket [s3-bucket] --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn]
+cfn-vpn init [name] --bucket [s3-bucket] --server-cn [server certificate name] --subnet-ids [list of subnets to associate with the vpn]
 ```
 
 
@@ -63,19 +63,38 @@ This option is for when you want to manage users through an external directory p
 The following command and required option will launch a new federated based Client-VPN
 
 ```sh
-cfn-vpn init [name] --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --saml-arn [identity providor arn]
+cfn-vpn init [name] --server-cn [server certificate name] \
+  --subnet-ids [list of subnets to associate with the vpn] \
+  --saml-arn [identity provider arn]
 ```
 
 The default authorization rule for the associated subnets allows all. You can optionally change this by using the `--default-groups` flag to set groups on the default authorization rule. 
 
+```diff
+! Group id's must be used if creating authorization rules. 
+! Each SAML provider will have different group id's and means of retrieving them.
+```
+
 ```sh
-cfn-vpn init [name] --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --saml-arn [identity providor arn] --default-groups [list of group ids]
+cfn-vpn init [name] --server-cn [server certificate name] \
+  --subnet-ids [list of subnet to associate with the vpn] \
+  --saml-arn [identity provider arn]  \
+  --default-groups [list of group ids]
 ```
 
 **AWS SSO**
 
 If using AWS SSO as your SAML provider check this guide on how to set up SAML using AWS SSO https://codeburst.io/the-aws-client-vpn-federated-authentication-missing-example-655e0a1ff7f4
 
+If you want to leverage the Self Service Portal you need to add the specify the `--saml-self-service-arn [self service identity provider arn]` You can follow the example here https://aws.amazon.com/blogs/security/authenticate-aws-client-vpn-users-with-aws-single-sign-on/ on how to setup the self sign-on sso application
+
+```sh
+cfn-vpn init [name] --server-cn [server certificate name] \
+  --subnet-ids [list of subnet to associate with the vpn] \
+  --saml-arn [identity provider arn]  \
+  --saml-self-service-arn [self service identity provider arn] \
+  --default-groups [list of group ids]
+```
 
 ### AWS Directory Services Authenticated VPN
 
@@ -84,13 +103,18 @@ This option integrates Microsoft Active Directory or Simple AD through AWS Direc
 The following command and required option will launch a new directory service based Client-VPN
 
 ```sh
-cfn-vpn init simple-ad --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --directory-id [aws directirory serivce id]
+cfn-vpn init simple-ad --server-cn [server certificate name] \
+  --subnet-ids [list of subnets to associate with the vpn] \
+  --directory-id [aws directory service id]
 ```
 
 The default authorization rule for the associated subnets allows all. You can optionally change this by using the `--default-groups` flag to set groups on the default authorization rule. The group Id is the Active Directory Group ID or SID.
 
 ```sh
-cfn-vpn init simple-ad --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --directory-id [aws directirory serivce id] --default-groups [list of group ids]
+cfn-vpn init simple-ad --server-cn [server certificate name] \
+  --subnet-ids [list of subnets to associate with the vpn] \
+  --directory-id [aws directory service id] \
+  --default-groups [list of group ids]
 ```
 
 See this guide for further help on setting up https://shogokobayashi.com/2019/05/18/aws-client-vpn-with-simplead/
@@ -104,25 +128,30 @@ When using a federated ClientVPN you can modify the default auth to only allow s
 
 ```
 Options:
-  r, [--region=REGION]                         # AWS Region
-                                               # Default: ap-southeast-2
-      [--verbose], [--no-verbose]              # set log level to debug
-      --server-cn=SERVER_CN                    # server certificate common name
-      [--client-cn=CLIENT_CN]                  # client certificate common name
-      [--easyrsa-local], [--no-easyrsa-local]  # run the easyrsa executable from your local rather than from docker
-      [--bucket=BUCKET]                        # s3 bucket
-      --subnet-ids=one two three               # subnet id to associate your vpn with
-      [--default-groups=one two three]         # groups to allow through the subnet associations when using federated auth
-      [--cidr=CIDR]                            # cidr from which to assign client IP addresses
-                                               # Default: 10.250.0.0/16
-      [--dns-servers=one two three]            # DNS Servers to push to clients.
-      [--split-tunnel], [--no-split-tunnel]    # only push routes to the client on the vpn endpoint
-                                               # Default: true
-      [--internet-route=INTERNET_ROUTE]        # [subnet-id] create a default route to the internet through a subnet
-      [--protocol=PROTOCOL]                    # set the protocol for the vpn connections
-                                               # Default: udp
-                                               # Possible values: udp, tcp
-      [--start=START]                          # cloudwatch event cron schedule in UTC to associate subnets to the client vpn
-      [--stop=STOP]                            # cloudwatch event cron schedule in UTC to disassociate subnets to the client vpn
-      [--saml-arn=SAML_ARN]                    # IAM SAML idenditiy providor arn if using SAML federated authentication
-```
+  r, [--region=REGION]                                     # AWS Region
+                                                           # Default: ap-southeast-2
+      [--verbose], [--no-verbose]                          # set log level to debug
+      --server-cn=SERVER_CN                                # server certificate common name
+      [--client-cn=CLIENT_CN]                              # client certificate common name
+      [--easyrsa-local], [--no-easyrsa-local]              # run the easyrsa executable from your local rather than from docker
+      [--bucket=BUCKET]                                    # s3 bucket, if not set one will be generated for you
+      --subnet-ids=one two three                           # subnet id to associate your vpn with
+      [--default-groups=one two three]                     # groups to allow through the subnet associations when using federated auth
+      [--cidr=CIDR]                                        # cidr from which to assign client IP addresses
+                                                           # Default: 10.250.0.0/16
+      [--dns-servers=one two three]                        # DNS Servers to push to clients.
+      [--split-tunnel], [--no-split-tunnel]                # only push routes to the client on the vpn endpoint
+                                                           # Default: true
+      [--internet-route=INTERNET_ROUTE]                    # [subnet-id] create a default route to the internet through a subnet
+      [--protocol=PROTOCOL]                                # set the protocol for the vpn connections
+                                                           # Default: udp
+                                                           # Possible values: udp, tcp
+      [--start=START]                                      # cloudwatch event cron schedule in UTC to associate subnets to the client vpn
+      [--stop=STOP]                                        # cloudwatch event cron schedule in UTC to disassociate subnets to the client vpn
+      [--saml-arn=SAML_ARN]                                # IAM SAML identity provider arn if using SAML federated authentication
+      [--saml-self-service-arn=SAML_SELF_SERVICE_ARN]      # IAM SAML identity provider arn for the self service portal
+      [--directory-id=DIRECTORY_ID]                        # AWS Directory Service directory id if using Active Directory authentication
+      [--slack-webhook-url=SLACK_WEBHOOK_URL]              # slack webhook url to send notifications from the scheduler and route populator
+      [--auto-limit-increase], [--no-auto-limit-increase]  # automatically request a AWS service quota increase if limits are hit for route entry and authorization rule limits
+                                                           # Default: true
+```

data/docs/routes.md

@@ -96,3 +96,51 @@ run the `modify` command and supply the yaml file to apply the changes
 ```sh
 cfn-vpn routes [name] --params-yaml cfnvpn.[name].yaml
 ```
+
+## Route Limits
+
+Client VPN have a number of service limits associated with it some of which can be increased and may need to be increased by default.
+
+| Name | Default | Adjustable | 
+| --- | --- | --- | 
+| Authorization rules per Client VPN endpoint | 50 | [Yes](https://console.aws.amazon.com/servicequotas/home/services/ec2/quotas/L-9A1BC94B) | 
+| Client VPN disconnect timeout | 24 hours | No | 
+| Client VPN endpoints per Region | 5 | [Yes](https://console.aws.amazon.com/servicequotas/home/services/ec2/quotas/L-8EA77D34) | 
+| Concurrent client connections per Client VPN endpoint |  This value depends on the number of subnet associations per endpoint\. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpn/latest/clientvpn-admin/limits.html)  | [Yes](https://console.aws.amazon.com/servicequotas/home/services/ec2/quotas/L-C4B238BF) | 
+| Concurrent operations per Client VPN endpoint † | 10 | No | 
+| Entries in a client certificate revocation list for Client VPN endpoints | 20,000 | No | 
+| Routes per Client VPN endpoint | 10 | [Yes](https://console.aws.amazon.com/servicequotas/home/services/ec2/quotas/L-401D78F7) | 
+
+† Operations include:
++ Associate or disassociate subnets
++ Create or delete routes
++ Create or delete inbound and outbound rules
++ Create or delete security groups
+
+Check out the AWS [docs](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/limits.html) for up to date details
+
+### Increasing Limits
+
+**Automatic**
+
+cfn-vpn supports automatically creating requests to increase the limits for `Routes per Client VPN endpoint` (by 10) and `Authorization rules per Client VPN endpoint` (by 20).
+
+This functionality is enabled by default but can be disabled by modifying the vpn setting the `--no-auto-limit-increase` flag
+
+```sh
+cfn-vpn modify [name] --no-auto-limit-increase
+```
+
+**Manual**
+
+`Routes per Client VPN endpoint`
+
+```sh
+aws service-quotas request-service-quota-increase --service-code ec2 --quota-code L-401D78F7 --desired-value [value]
+```
+
+`Authorization rules per Client VPN endpoint`
+
+```sh
+aws service-quotas request-service-quota-increase --service-code ec2 --quota-code L-9A1BC94B --desired-value [value]
+```

data/docs/slack-notifications.md

@@ -0,0 +1,35 @@
+# Slack Notifications
+
+Slack notifications can be enabled for both the [dynamic route populator](routes.md#dynamic-dns-routes) and the [scheduler](scheduling.md) to show events.
+
+## Enable
+
+Setup a Slack [incoming-webhook](https://api.slack.com/messaging/webhooks#getting_started) in your desired slack channel and grab the webhook url that'll look something like this:
+
+```
+https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
+```
+
+Next modify your VPN stack using the modify command and pass in url
+
+```sh
+cfn-vpn modify [name] --slack-webhook-url "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"
+```
+
+## Route Events
+
+- `FAILED`: general failure
+- `NEW_ROUTE`: new route added to route table
+- `EXPIRED_ROUTE`: CIDR is no longer associated with DNS entry and is removed from the route table
+- `ROUTE_LIMIT_EXCEEDED`: no new routes can be added to the route table due to AWS route table limit
+- `AUTH_RULE_LIMIT_EXCEEDED`: no new authorization rules can be added to the rule list due to AWS auth rule limit
+- `RESOLVE_FAILED`: failed to resolve the provided dns entry
+- `SUBNET_NOT_ASSOCIATED`: no subnets are associated with the Client VPN
+- `QUOTA_INCREASE_REQUEST`: automatic quota increase made 
+
+## Scheduler Events
+
+- `START_IN_PROGRESS`: associating subnets with the Client VPN
+- `STOP_IN_PROGRESS`: disassociating subnets with the Client VPN
+- `START_FAILED`: failed to associated subnets with the Client VPN
+- `STOP_FAILED`: failed to disassociated subnets with the Client VPN

data/lib/cfnvpn/actions/embedded.rb

@@ -50,11 +50,10 @@ module CfnVpn::Actions
 
     def download_config
       vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
-      @endpoint_id = vpn.get_endpoint_id()
-      CfnVpn::Log.logger.debug "downloading client config for #{@endpoint_id}"
-      @config = vpn.get_config(@endpoint_id)
+      CfnVpn::Log.logger.debug "downloading client config for #{vpn.endpoint_id}"
+      @config = vpn.get_config()
       string = (0...8).map { (65 + rand(26)).chr.downcase }.join
-      @config.sub!(@endpoint_id, "#{string}.#{@endpoint_id}")
+      @config.sub!(vpn.endpoint_id, "#{string}.#{vpn.endpoint_id}")
     end
 
     def add_routes

data/lib/cfnvpn/actions/init.rb

@@ -35,9 +35,13 @@ module CfnVpn::Actions
     class_option :start, type: :string, desc: 'cloudwatch event cron schedule in UTC to associate subnets to the client vpn'
     class_option :stop, type: :string, desc: 'cloudwatch event cron schedule in UTC to disassociate subnets to the client vpn'
 
-    class_option :saml_arn, desc: 'IAM SAML idenditiy providor arn if using SAML federated authentication'
+    class_option :saml_arn, desc: 'IAM SAML identity provider arn if using SAML federated authentication'
+    class_option :saml_self_service_arn, desc: 'IAM SAML identity provider arn for the self service portal'
     class_option :directory_id, desc: 'AWS Directory Service directory id if using Active Directory authentication'
 
+    class_option :slack_webhook_url, type: :string, desc: 'slack webhook url to send notifications from the scheduler and route populator'
+    class_option :auto_limit_increase, type: :boolean, default: true, desc: 'automatically request a AWS service quota increase if limits are hit for route entry and authorization rule limits'
+    
     def self.source_root
       File.dirname(__FILE__)
     end
@@ -64,7 +68,10 @@ module CfnVpn::Actions
         start: @options['start'],
         stop: @options['stop'],
         saml_arn: @options['saml_arn'],
+        saml_self_service_arn: @options['saml_self_service_arn'],
         directory_id: @options['directory_id'],
+        slack_webhook_url: @options['slack_webhook_url'],
+        auto_limit_increase: @options['auto_limit_increase'],
         routes: []
       }
     end
@@ -136,8 +143,7 @@ module CfnVpn::Actions
 
     def finish
       vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
-      @endpoint_id = vpn.get_endpoint_id()
-      CfnVpn::Log.logger.info "Client VPN #{@endpoint_id} created. Run `cfn-vpn config #{@name}` to setup the client config"
+      CfnVpn::Log.logger.info "Client VPN #{vpn.endpoint_id} created. Run `cfn-vpn config #{@name}` to setup the client config"
     end
 
   end

data/lib/cfnvpn/actions/modify.rb

@@ -37,6 +37,9 @@ module CfnVpn::Actions
     class_option :start, type: :string, desc: 'cloudwatch event cron schedule in UTC to associate subnets to the client vpn'
     class_option :stop, type: :string, desc: 'cloudwatch event cron schedule in UTC to disassociate subnets to the client vpn'
 
+    class_option :slack_webhook_url, type: :string, desc: 'slack webhook url to send notifications from the scheduler and route populator'
+    class_option :auto_limit_increase, type: :boolean, desc: 'automatically request a AWS service quota increase if limits are hit for route entry and authorization rule limits'
+
     class_option :param_yaml, type: :string, desc: 'pass in cfnvpn params through YAML file'
 
     class_option :bucket, desc: 's3 bucket'
@@ -161,8 +164,7 @@ module CfnVpn::Actions
 
     def finish
       vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
-      @endpoint_id = vpn.get_endpoint_id()
-      CfnVpn::Log.logger.info "Client VPN #{@endpoint_id} modified."
+      CfnVpn::Log.logger.info "Client VPN #{vpn.endpoint_id} modified."
     end
 
   end

data/lib/cfnvpn/actions/revoke.rb

@@ -42,9 +42,8 @@ module CfnVpn::Actions
 
     def apply_rekocation_list
       vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
-      endpoint_id = vpn.get_endpoint_id()
-      vpn.put_revoke_list(endpoint_id,"#{@cert_dir}/crl.pem")
-      CfnVpn::Log.logger.info("revoked client #{@options['client_cn']} from #{endpoint_id}")
+      vpn.put_revoke_list("#{@cert_dir}/crl.pem")
+      CfnVpn::Log.logger.info("revoked client #{@options['client_cn']} from #{vpn.endpoint_id}")
     end
 
   end

data/lib/cfnvpn/actions/routes.rb

@@ -14,7 +14,7 @@ module CfnVpn::Actions
 
     class_option :cidr, desc: 'cidr range'
     class_option :dns, desc: 'dns record to auto lookup ip'
-    class_option :subnet, desc: 'the target vpc subnet to route through, if none is supplied the default subnet is used'
+    class_option :subnets, type: :array, desc: 'target vpc subnets to route through, if none is supplied the default subnets are used'
     class_option :desc, desc: 'description of the route'
 
     class_option :groups, type: :array, desc: 'override all authorised groups on thr route'
@@ -83,15 +83,15 @@ module CfnVpn::Actions
           CfnVpn::Log.logger.warn "description for this route cannot be updated in place. To alter delete the route and add with the new description"
         end
 
-        if @options[:subnet]
-          CfnVpn::Log.logger.warn "the target subnet for this route cannot be updated in place. To alter delete the route and add with the new target subnet"
+        if @options[:subnets]
+          CfnVpn::Log.logger.warn "the target subnets for this route cannot be updated in place. To alter delete the route and add with the new target subnet"
         end
       elsif !@route && @options[:cidr]
         CfnVpn::Log.logger.info "adding new route for #{@options[:cidr]}"
         @config[:routes] << {
           cidr: @options[:cidr],
           desc: @options.fetch(:desc, ""),
-          subnet: @options.fetch(:subnet, @config[:subnet_ids].first),
+          subnets: @options.fetch(:subnets, @config[:subnet_ids]),
           groups: @options.fetch(:groups, []) + @options.fetch(:add_groups, [])
         }
       elsif !@route && @options[:dns]
@@ -99,7 +99,7 @@ module CfnVpn::Actions
         @config[:routes] << {
           dns: @options[:dns],
           desc: @options.fetch(:desc, ""),
-          subnet: @options.fetch(:subnet, @config[:subnet_ids].first),
+          subnets: @options.fetch(:subnets, @config[:subnet_ids]),
           groups: @options.fetch(:groups, []) + @options.fetch(:add_groups, [])
         }
       else
@@ -163,27 +163,31 @@ module CfnVpn::Actions
       end
     end
 
+    def get_routes
+      @vpn = CfnVpn::ClientVpn.new(@name, @options['region'])
+    end
+
     def cleanup_dns_routes
-      @vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
       unless @dns_route_cleanup.nil?
-        routes = @vpn.get_routes()
         CfnVpn::Log.logger.info("Cleaning up expired routes for #{@dns_route_cleanup}")
-        expired_routes = routes.select {|route| route.description.include?(@dns_route_cleanup) }
+        expired_routes = @vpn.get_routes(@dns_route_cleanup)
         expired_routes.each do |route|
+          CfnVpn::Log.logger.info("Removing expired route #{route.destination_cidr} for target subnet #{route.target_subnet}")
           @vpn.delete_route(route.destination_cidr, route.target_subnet)
-          @vpn.revoke_auth(route.destination_cidr)
         end
-      end
-    end
 
-    def get_routes
-      @endpoint = @vpn.get_endpoint_id()
-      @routes = @vpn.get_routes()
+        expired_rules = @vpn.get_auth_rules(@dns_route_cleanup)
+        expired_rules.each do |rule|
+          CfnVpn::Log.logger.info("Removing expired auth rule for route #{route.destination_cidr}")
+          @vpn.revoke_auth(rule.destination_cidr)
+        end
+      end
     end
 
     def display_routes
-      rows = @routes.collect do |s|
-        groups = @vpn.get_groups_for_route(@endpoint, s.destination_cidr)
+      routes = @vpn.get_routes()
+      rows = routes.collect do |s|
+        groups = @vpn.get_groups_for_route(s.destination_cidr)
         [ s.destination_cidr, s.description, s.status.code, s.target_subnet, s.type, s.origin, (!groups.join("").empty? ? groups.join(' ') : 'AllowAll') ]
       end
       table = Terminal::Table.new(

data/lib/cfnvpn/actions/sessions.rb

@@ -29,20 +29,19 @@ module CfnVpn::Actions
       @build_dir = "#{CfnVpn.cfnvpn_path}/#{@name}"
     end
 
-    def get_endpoint
+    def setup
       @vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
-      @endpoint_id = @vpn.get_endpoint_id()
     end
 
     def kill_session
       if !@options['kill'].nil?
-        sessions = @vpn.get_sessions(@endpoint_id)
+        sessions = @vpn.get_sessions()
         session = sessions.select { |s| s if s.connection_id  == @options['kill'] }.first
         if session.any? && session.status.code == "active"
           terminate = yes? "Terminate connection #{@options['kill']} for #{session.common_name}?", :yellow
           if terminate
             CfnVpn::Log.logger.info "Terminating connection #{@options['kill']} for #{session.common_name}"
-            @vpn.kill_session(@endpoint_id,@options['kill'])
+            @vpn.kill_session(@options['kill'])
           end
         else
           CfnVpn::Log.logger.error "Connection id #{@options['kill']} doesn't exist or is not active"
@@ -51,7 +50,7 @@ module CfnVpn::Actions
     end
 
     def display_sessions
-      sessions = @vpn.get_sessions(@endpoint_id)
+      sessions = @vpn.get_sessions()
       rows = sessions.collect do |s|
         [ s.common_name, s.connection_established_time, s.status.code, s.client_ip, s.connection_id, s.ingress_bytes, s.egress_bytes ]
       end

data/lib/cfnvpn/actions/share.rb

@@ -26,11 +26,10 @@ module CfnVpn::Actions
 
     def copy_config_to_s3
       vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
-      @endpoint_id = vpn.get_endpoint_id()
-      CfnVpn::Log.logger.debug "downloading client config for #{@endpoint_id}"
-      @config = vpn.get_config(@endpoint_id)
+      CfnVpn::Log.logger.debug "downloading client config for #{vpn.endpoint_id}"
+      @config = vpn.get_config()
       string = (0...8).map { (65 + rand(26)).chr.downcase }.join
-      @config.sub!(@endpoint_id, "#{string}.#{@endpoint_id}")
+      @config.sub!(vpn.endpoint_id, "#{string}.#{vpn.endpoint_id}")
     end
 
     def add_routes

data/lib/cfnvpn/actions/subnets.rb

@@ -61,13 +61,9 @@ module CfnVpn::Actions
       end
     end
 
-    def get_endpoint
-      @vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
-      @endpoint_id = @vpn.get_endpoint_id()
-    end
-
     def associations
-      associations = @vpn.get_associations(@endpoint_id)
+      vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
+      associations = vpn.get_associations()
       table = Terminal::Table.new(
         :headings => ['ID', 'Subnet', 'Status', 'CIDR', 'AZ', 'Groups'],
         :rows => associations.map {|ass| ass.values})

data/lib/cfnvpn/clientvpn.rb

@@ -5,6 +5,7 @@ require 'netaddr'
 module CfnVpn
   class ClientVpn
     
+    attr_reader :endpoint_id
 
     def initialize(name,region)
       @client = Aws::EC2::Client.new(region: region)
@@ -31,56 +32,71 @@ module CfnVpn
       return get_endpoint().dns_servers
     end
 
-    def get_config(endpoint_id)
+    def get_config()
       resp = @client.export_client_vpn_client_configuration({
-        client_vpn_endpoint_id: endpoint_id
+        client_vpn_endpoint_id: @endpoint_id
       })
       return resp.client_configuration
     end
 
-    def get_rekove_list(endpoint_id)
+    def get_rekove_list()
       resp = @client.export_client_vpn_client_certificate_revocation_list({
-        client_vpn_endpoint_id: endpoint_id
+        client_vpn_endpoint_id: @endpoint_id
       })
       return resp.certificate_revocation_list
     end
 
-    def put_revoke_list(endpoint_id,revoke_list)
+    def put_revoke_list(revoke_list)
       list = File.read(revoke_list)
       @client.import_client_vpn_client_certificate_revocation_list({
-        client_vpn_endpoint_id: endpoint_id,
+        client_vpn_endpoint_id: @endpoint_id,
         certificate_revocation_list: list
       })
     end
 
-    def get_sessions(endpoint_id)
+    def get_sessions()
       params = {
-        client_vpn_endpoint_id: endpoint_id,
+        client_vpn_endpoint_id: @endpoint_id,
         max_results: 20
       }
       resp = @client.describe_client_vpn_connections(params)
       return resp.connections
     end
 
-    def kill_session(endpoint_id, connection_id)
+    def kill_session(connection_id)
       @client.terminate_client_vpn_connections({
-        client_vpn_endpoint_id: endpoint_id,
+        client_vpn_endpoint_id: @endpoint_id,
         connection_id: connection_id
       })
     end
 
-    def get_routes()
-      endpoint_id = get_endpoint_id()
-      resp = @client.describe_client_vpn_routes({
-        client_vpn_endpoint_id: endpoint_id,
-        max_results: 20
-      })
-      return resp.routes
+    def get_routes(dns_route=nil)
+      routes = []
+      @client.describe_client_vpn_routes({client_vpn_endpoint_id: @endpoint_id}).each do |resp|
+        if dns_route
+          routes.concat resp.routes.select {|route| route.description.include?(dns_route) }
+        else
+          routes.concat resp.routes
+        end
+      end
+      return routes
     end
 
-    def get_groups_for_route(endpoint, cidr)
+    def get_auth_rules(dns_route=nil)
+      rules = []
+      @client.describe_client_vpn_authorization_rules({client_vpn_endpoint_id: @endpoint_id}) do |resp|
+        if dns_route
+          rules.concat resp.authorization_rules.select {|rule| rule.description.include?(dns_route) }
+        else
+          rules.concat resp.routes
+        end
+      end
+      return rules
+    end
+
+    def get_groups_for_route(cidr)
       auth_resp = @client.describe_client_vpn_authorization_rules({
-        client_vpn_endpoint_id: endpoint,
+        client_vpn_endpoint_id: @endpoint_id,
         filters: [
           {
             name: 'destination-cidr',
@@ -91,10 +107,10 @@ module CfnVpn
       return auth_resp.authorization_rules.map {|rule| rule.group_id }
     end
 
-    def get_associations(endpoint)
+    def get_associations()
       associations = []
       resp = @client.describe_client_vpn_target_networks({
-        client_vpn_endpoint_id: endpoint
+        client_vpn_endpoint_id: @endpoint_id
       })
 
       resp.client_vpn_target_networks.each do |net|
@@ -102,7 +118,7 @@ module CfnVpn
           subnet_ids: [net.target_network_id]
         })
         subnet = subnet_resp.subnets.first
-        groups = get_groups_for_route(endpoint, subnet.cidr_block)
+        groups = get_groups_for_route(subnet.cidr_block)
         
         associations.push({
           association_id: net.association_id,